Chrome extensions hijack Claude AI
- A reported flaw dubbed 'ClaudeBleed' could allow malicious Chrome extensions to hijack Claude and access connected services such as Gmail, Google Drive, and GitHub.
- The flaw highlights the expanded attack surface when assistants are embedded into browsers and begin mediating access to user data and external tools.
- Security researchers urged caution and stronger permission boundaries for browser-connected agents as adoption grows across platforms. (sqmagazine.co.uk)
Browser extensions are supposed to be sandboxed. That is the whole deal. One extension should not be able to quietly borrow another extension’s privileges and start acting as you. But a new flaw in Anthropic’s Claude for Chrome appears to punch right through that boundary — and that matters because Claude is not just reading web pages. It can reach into Gmail, Google Drive, GitHub, and other connected tools, then take actions there. LayerX disclosed the bug this week, Anthropic shipped a partial fix, and researchers say the core design problem is still bigger than one patch. (layerxsecurity.com)

### What actually broke?

The issue, nicknamed ClaudeBleed by LayerX, sits in how Claude’s Chrome extension handles messages from scripts running in the browser. The short version is ugly — the extension trusted messages from the right place without properly checking who sent them. That meant another extension could inject instructions into Claude and get the assistant to treat them like legitimate commands. LayerX says even a low-privilege or zero-permission extension could do it. (layerxsecurity.com)

### Why is that worse than a normal extension bug?

Because Claude is an agent, not a passive add-on. A normal compromised extension might scrape a page or steal a cookie. Claude can read context, interpret screenshots, click buttons, fill forms, and use connected services on your behalf. So if an attacker can steer Claude, they are not just stealing one browser capability — they are inheriting a bundle of delegated ones. That is why the proof-of-concept attacks included reading recent email activity, pulling files from Google Drive, and accessing private GitHub repositories. (cyberscoop.com)

### How could an attacker use it?

LayerX’s demo is the useful mental model here. The attacker does not need some dramatic malware implant. They just need a malicious extension installed in the same browser. From there, the extension can feed Claude hidden instructions, manipulate what Claude “sees” in the page, and push it toward actions the user never intended. Researchers say they could remove or obscure interface labels around sensitive actions, then prompt Claude to share files or send emails while sidestepping normal confirmation flows. (cyberscoop.com)

### Didn’t Anthropic already work on browser-injection risks?

Yes — and that is part of why this story lands. Anthropic has been openly talking about prompt-injection risk in browser agents since at least November 2025, and it said then that no browser agent is immune. It also said some vulnerabilities still needed fixing before Claude for Chrome could be broadly available. So the company clearly knew this class of product creates unusual risk. ClaudeBleed looks like the next, more concrete version of that warning — not just hostile page content, but hostile neighboring extensions. (anthropic.com)

### What changed this week?

The change is disclosure plus patching. SecurityWeek and other outlets say Anthropic updated the extension with extra security checks after LayerX reported the issue. But multiple reports describe that as a partial fix, not a clean resolution, and one follow-up report says researchers bypassed the patch within hours. I’d treat that part carefully — the strongest sourcing here is still the original LayerX writeup plus mainstream coverage confirming Anthropic changed the extension. (securityweek.com)

### Why does Chrome matter so much here?

Because Chrome extensions live in a weird middle ground. They are more privileged than websites, but users install them casually. That makes the browser a tempting place to build AI agents — and a dangerous place to over-trust message passing between components. LayerX’s argument is basically that ClaudeBleed turns Claude into a privilege-escalation bridge across extensions, which is exactly what Chrome’s security model is meant to prevent. (cyberscoop.com)

### Is this just a Claude problem?

No — it is a browser-agent problem. Claude is the example in front of everyone right now, but the broader lesson is that once an assistant can browse, read inboxes, open drives, and touch code repos, every trust boundary around it has to get much tighter. Anthropic itself has said browser use amplifies prompt-injection risk. ClaudeBleed extends that lesson — the model is not the only attack surface. The wrapper around it matters just as much. (anthropic.com)

### Bottom line

This is what happens when “helpful assistant” starts to mean “software with your permissions.” The convenience is real. But the catch is simple — if a weak extension can steer a strong agent, the weak extension wins. (layerxsecurity.com)
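As an added example that is not code from Anthropic, LayerX, or this article, the listener pattern below shows the trust failure described under "What actually broke?" in its generic form: a message handler that acts on any well-formed command beside one that first checks the sender's identity. The (message, sender, sendResponse) signature mirrors chrome.runtime.onMessage; the runtime stub, the extension IDs and the agent stand-in are constructed here so the block runs offline under Node.

```javascript
// Added illustration of the bug class, not Claude for Chrome's code. Handler signature
// mirrors chrome.runtime.onMessage; runtime stub, IDs and agent are constructed here.
const OWN_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // placeholder extension id

// Minimal stand-in for chrome.runtime so this runs offline under Node.
function makeRuntime(ownId) {
  const listeners = [];
  return {
    id: ownId,
    onMessage: { addListener: (fn) => listeners.push(fn) },
    deliver(message, sender) {            // what the browser does on send
      let response;
      for (const fn of listeners) fn(message, sender, (r) => { response = r; });
      return response;
    },
  };
}

// Agent stand-in that records every instruction it is asked to execute.
function makeAgent() {
  const executed = [];
  return { executed, run: (i) => { executed.push(i); return { ran: i }; } };
}

// Vulnerable: any well-formed message is treated as a legitimate command.
function registerVulnerable(runtime, agent) {
  runtime.onMessage.addListener((msg, _sender, sendResponse) => {
    if (msg && msg.type === "agent-command") sendResponse(agent.run(msg.instruction));
  });
}

// Hardened: only messages whose sender is this extension itself are honoured.
function registerHardened(runtime, agent) {
  runtime.onMessage.addListener((msg, sender, sendResponse) => {
    if (!sender || sender.id !== runtime.id) return sendResponse({ error: "foreign sender" });
    if (msg && msg.type === "agent-command") sendResponse(agent.run(msg.instruction));
  });
}

// Deliver the same command from a foreign extension and from our own UI; return how many ran.
function simulate(register) {
  const runtime = makeRuntime(OWN_ID);
  const agent = makeAgent();
  register(runtime, agent);
  const cmd = { type: "agent-command", instruction: "list recent files" };
  runtime.deliver(cmd, { id: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" }); // other extension
  runtime.deliver(cmd, { id: OWN_ID });                             // our own UI
  return agent.executed.length;
}
```

In a real extension the same check applies wherever commands enter: a content script relaying window messages from the page cannot authenticate their author, so command channels should be limited to paths where the sender identity is verifiable.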